Hello,
This is my first time doing this (url filtering and attempt to block user from downloading) for learning sake and for my future work with firewalls.
No one is an expert in using a product the first time, instead of asking for answers research it yourself first then post a question when you encounter problem in this way you will learn faster and remember quicker. Anyway...here's my configuration which is not perfect but should work......
First if you have no idea how to start read my blog: http://cyruslab.wordpress.com/2012/08/11/asa5505-8-439-quick-start-to-connect-to-your-internet/ to get your internet running first.
I use regular expression to group the file type exe, zip, tar, pdf, as long as in the url it contains this extension no matter which website the connection will be reset.
Create regex by searching for extension that ends with the ones stated above
regex ext-type1 ".*\.([Ee][Xx][Ee]|[Zz][Ii][Pp]|[Tt][Aa][Rr]|[Pp][Dd][Ff])"
Create regex that matches http headers with content-type application/(everything)
regex content-type "Content-Type"
!There are a lot of application such as application/pdf blah blah blah...the * is a wildcard that matches all.
regex app-header "application/.*"
Create class-map to group ext-types
class-map type regex match-any block-ext
match regex ext-type1
Actually you do not need to create a class-map for this, but using nested class-maps make your configuration more scalable (I say nested because this class-map will be used again within another class-map), next time if you need to add more extensions simply create another regex and match it within block-ext class-maps and your changes would take effect immediately with your new sets of extensions.
Create class-map to group http headers
class-map type inspect http match-all app-header-class
match response header regex content-type regex app-header
When inside host surf the web and request for to download app that matches application/* the response will be captured by the ASA. This configuration captures and groups the response.
Create class-map to group http request
class-map type inspect http match-all block-ext-class
match request uri regex class block-ext
Now this is the nested class-map, remember that i created another class-map known as block-ext? This configuration captures your inside host request and group them if it matches block-ext.
Create access-list and class-map to group http traffic only so that policy can be applied to these traffic.
access-list http-group extended permit tcp any any eq www
access-list http-group extended permit tcp any any eq 8080
class-map http-only
match access-list http-group
These are the interesting traffic which the policy be applied to.
Define http inspection policy
policy-map type inspect http http-inspection-policy
parameters
protocol-violation action drop-connection log
class app-header-class
drop-connection log
class block-ext-class
reset log
These configurations are for policy creation, if http packet is malformed it will be drop and log, if matches the response app-header-class connection is dropped, if matches the request block-ext-class the connection is reset (i.e. user immediate sees page not found on his/her web browser)
Attached the policy into the interesting traffic
policy-map inside-http-policy
class http-only
inspect http http-inspection-policy
Now the above policy creation will be applied to the interesting traffic.
Apply the policy into the inside interface
service-policy inside-http-policy interface inside
The above policy is not taken into effect until you applied to an interface.
